Updating expired StartCom Class 1 Primary Intermediate Server CA certificate

Certificate Error

Yesterday, Thunderbird popped up a stern certificate warning message stating that the "certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature".

That's interesting -- I've used this certificate for close to a year now (it expires in a couple of months) and hadn't made any changes.

After examining the certficate details for longer than I would care to admit, finally realized that the problem was with the Intermediate CA certificate (it expired on 2012-10-22), not my host certificate which is still good. I use a StartSSL certificate on the web server as well and it was the same problem there. Fortunately, fixing this was easy.


First identified the Intermediate certificate file Apache is using (SSLCertificateChainFile directive), then checked the date:

ak@web:~$ openssl x509 -noout -dates -in /etc/ssl/certs/StartSSL.sub.class1.server.ca.pem
notBefore=Oct 24 20:54:16 2007 GMT
notAfter=Oct 22 20:54:16 2012 GMT

Then downloaded the latest one:

root@web:~# curl -s http://www.startssl.com/certs/sub.class1.server.ca.pem > /etc/ssl/certs/StartSSL.sub.class1.server.ca.pem

Then confirmed it's ok at the shell:

ak@web:~$ openssl x509 -noout -dates -in /etc/ssl/certs/StartSSL.sub.class1.server.ca.pem
notBefore=Oct 24 20:54:17 2007 GMT
notAfter=Oct 24 20:54:17 2017 GMT

Then confirmed it's ok using a web browser. Nice. One thing that was interesting is that when I refreshed the page, Firefox (version 16 for Linux) picked up the change, while Chrome (Chromium 20 for Linux) didn't, not even after a restart -- had to clear the cache (Settings > Privacy > Clear browsing data... > Empty the cache), before the certificate warning went away.


Postfix, was only a bit trickier. Because I'm running Postfix chrooted (Debian default), it's using certs that are in /var/spool/postfix/etc/ssl/certs/ca-certificates.crt. It seems that the postfix init script places them there by grabbing from /etc/ssl/certs/, so the process is to identify which file contains the certificate for the StartCom Class 1 Primary Intermediate Server CA (in my case it was /etc/ssl/certs/StartSSL.sub.class1.server.ca.pem), update that and restart Postfix so it regenerates /var/spool/postfix/etc/ssl/certs/ca-certificates.crt:

root@mx:~# curl -s http://www.startssl.com/certs/sub.class1.server.ca.pem > /etc/ssl/certs/StartSSL.sub.class1.server.ca.pem
root@mx:~# /etc/init.d/postfix restart

Now after restarting my Thunderbird mail client and examining the certificate (Edit > Settings > Security > View Certificates > Authorities > StartCom Ltd. > StartCom Class 1 Primary Intermediate Server CA > View > Validity) shows new expiration date of 10/24/2017. Nice.

P.S. Here's the exact error message:

You are about to override how Thunderbird identifies this site.
Legitimate banks, stores, and other public sites will not ask you to do this.
Server: duck.mxcow.com
Certificate Status
  This site attempts to identify itself with invalid information
  Unknown Identity
  Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.


  • 1. Toralf Förster replies at 27th October 2012, 10:20 am :

    Thx, helped me to fetch news from my preferred news server again.

  • 2. ccomb replies at 21st November 2012, 5:14 pm :

    thanks too !

  • 3. Someone replies at 29th December 2012, 7:06 am :

    Very helpful thx.

  • 4. nh2 replies at 31st August 2014, 3:11 pm :

    I’ve filed a bug for this: https://bugzilla.mozilla.org/show_bug.cgi?id=1060981

Leave a comment

NOTE: Enclose quotes in <blockquote></blockquote>. Enclose code in <pre lang="LANG"></pre> (where LANG is one of these).